Cisco ASA 5500-X Series Next-Generation Firewalls

Release Notes for the Cisco ASA Series, 9.3(x)

Released: July 24, 2014
Updated: December 18, 2014

This document contains release information for Cisco ASA software Version 9.3(x).

Important Notes

  • Windows NT AAA server was deprecated—In ASA Version 9.3, the Windows NT AAA server is no longer supported.
  • (9.3(2)) SSLv3 deprecation and SSL server version default change—SSLv3 is now deprecated. The default for the ssl server-version command is now tlsv1 instead of any. If you configure any, sslv3, or sslv3-only, the command is accepted with a warning. In the next major ASA release, these keywords will be removed from the ASA.
  • ASA CX module upgrade requirements—For ASA Version 9.3(2) and later, only ASA CX Version 9.3.2.1 and later is supported. When upgrading your ASA, first upgrade the ASA CX software; otherwise the ASA CX module will become unresponsive.
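
The deprecations in these release notes can be checked against a saved running-config before upgrading. The following is an added example, not Cisco code: it flags the `ssl server-version` keywords that 9.3(2) accepts only with a warning, the deprecated `ssl encryption` command, and Windows NT AAA server groups. The function name, the sample configuration and its object names are constructed for illustration, and the `aaa-server <tag> protocol nt` line form is assumed from standard ASA configuration syntax.

```python
"""Pre-upgrade audit of an ASA running-config against the 9.3(x) release notes.

Added example: names and sample data are illustrative, not from Cisco.
"""

# ssl server-version keywords that 9.3(2) accepts only with a warning and
# that the release notes say will be removed in the next major release.
DEPRECATED_SERVER_VERSIONS = {"any", "sslv3", "sslv3-only"}


def audit_asa_config(config_text):
    """Return a list of (severity, line_no, message) findings.

    line_no is 1-based; 0 marks a finding about a line that is absent.
    """
    findings = []
    explicit_server_version = False

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        # Skip blank lines and the "!" / ":" comment lines of saved configs.
        if not tokens or tokens[0][0] in "!:":
            continue

        if tokens[:2] == ["ssl", "server-version"] and len(tokens) > 2:
            explicit_server_version = True
            keyword = tokens[2].lower()
            if keyword in DEPRECATED_SERVER_VERSIONS:
                findings.append((
                    "warn", line_no,
                    f"ssl server-version {keyword}: deprecated keyword, "
                    "accepted with a warning in 9.3(2); the new default "
                    "is tlsv1",
                ))
        elif tokens[:2] == ["ssl", "encryption"]:
            findings.append((
                "warn", line_no,
                "ssl encryption: command deprecated in 9.3(2); the release "
                "notes list ssl cipher among the new commands",
            ))
        elif tokens[0] == "aaa-server" and tokens[2:4] == ["protocol", "nt"]:
            findings.append((
                "error", line_no,
                f"aaa-server {tokens[1]}: Windows NT AAA server is no "
                "longer supported in 9.3",
            ))

    if not explicit_server_version:
        # The default is not shown in a plain running-config, so an absent
        # line means the device follows the default, which changes on upgrade.
        findings.append((
            "info", 0,
            "no explicit ssl server-version: the default changes from "
            "any to tlsv1 in 9.3(2)",
        ))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
: Constructed sample for the audit example
hostname edge-fw
aaa-server LEGACY-NT protocol nt
aaa-server CORP-RADIUS protocol radius
ssl server-version any
ssl encryption aes256-sha1 aes128-sha1
ssl trust-point VPN-TP outside
"""

if __name__ == "__main__":
    for severity, line_no, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"{severity.upper():5} line {line_no}: {message}")
```

Run it against the output of `show running-config` saved to a file; an `info` finding with line 0 means the TLS behaviour of the device will change on upgrade even though the configuration text does not.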

System Requirements

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html

New Features


Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in Version 9.3(2.200)

Released: December 18, 2014

The following table lists the new features for ASA Version 9.3(2.200).


Note: This release supports only the ASAv.


 

Table 1 New Features for ASA Version 9.3(2.200)

Feature
Description
Platform Features

ASAv with KVM and Virtio

You can deploy the ASAv using the Kernel-based Virtual Machine (KVM) and the Virtio virtual interface driver.

New Features in Version 9.3(2)

Released: December 18, 2014

The following table lists the new features for ASA Version 9.3(2).

 

Table 2 New Features for ASA Version 9.3(2)

Feature
Description
Platform Features

ASA 5506-X

We introduced the ASA 5506-X.

We introduced or modified the following commands: service sw-reset-button, upgrade rommon, show environment temperature accelerator

ASA REST API 1.0.1

A REST API was added to support configuring and managing major functions of the ASA.

We introduced or modified the following commands: rest-api image, rest-api agent, show rest-api agent, debug rest-api, show version

Support for ASA image signing and verification

ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.

We introduced the following commands: copy /noverify, verify /image-signature, show software authenticity keys, show software authenticity file, show software authenticity running, show software authenticity development, software authenticity development, software authenticity key add special, software authenticity key revoke special

Accelerated security path load balancing

The accelerated security path (ASP) load balancing mechanism reduces packet drop and improves throughput by allowing multiple cores of the CPU to receive packets from an interface receive ring and work on them independently.

We introduced the following command: asp load-balance per-packet-auto

 

Firewall Features

Configuration session for editing ACLs and objects.

Forward referencing of objects and ACLs in access rules.

You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist.

We introduced the following commands: clear configuration session, clear session, configure session, forward-reference, show configuration session

SIP support for Trust Verification Services, NAT66, CUCM 10.5, and model 8831 phones.

You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5.

We introduced the following command: trust-verification-server.

 

Unified Communications support for CUCM 10.5

SIP and SCCP inspections were tested and verified with Cisco Unified Communications Manager 10.5.

Remote Access Features

Browser support for Citrix VDI

We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.

Clientless SSL VPN for Mac OSX 10.9

We now support Clientless SSL VPN features such as the rewriter, smart tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.

Interoperability with standards-based, third-party, IKEv2 remote access clients

We now support VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).

We introduced or modified the following commands: ikev2 remote-authentication, ikev2 local-authentication, clear vpn-sessiondb, show vpn-sessiondb, vpn-sessiondb logoff

 

Transport Layer Security (TLS) version 1.2 support

We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSL VPN, and AnyConnect VPN.

We introduced or modified the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show ssl cipher, show vpn-sessiondb

We deprecated the following command: ssl encryption

 

AnyConnect 4.0 support for TLS version 1.2

AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.

Licensing Features

Cisco Smart Software Licensing for the ASAv

Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.

We introduced the following commands: clear configure license, debug license agent, feature tier, http-proxy, license smart, license smart deregister, license smart register, license smart renew, show license, show running-config license, throughput level

 

High Availability Features

Lock configuration changes on the standby unit or standby context in a failover pair

You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.

We introduced the following command: failover standby config-lock

 

ASA clustering inter-site deployment in transparent mode with the ASA cluster firewalling between inside networks

You can now deploy a cluster in transparent mode between inside networks and the gateway router at each site (AKA East-West insertion), and extend the inside VLANs between sites. We recommend using Overlay Transport Virtualization (OTV), but you can use any method that ensures that the overlapping MAC Addresses and IP addresses of the gateway router do not leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide the same virtual MAC and IP addresses to the gateway routers.

Interface Features

Traffic Zones

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.

Note: You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.

We introduced or modified the following commands: zone, zone-member, show running-config zone, clear configure zone, show zone, show asp table zone, show nameif zone, show conn long, show local-host zone, show route zone, show asp table routing, clear conn zone, clear local-host zone

 

Routing Features

BGP support for IPv6

We added support for IPv6.

We introduced or modified the following commands: address-family ipv6, bgp router-id, ipv6 prefix-list, ipv6 prefix-list description, ipv6 prefix-list sequence-number, match ipv6 next-hop, match ipv6 route-source, match ipv6-address prefix-list, set ipv6-address prefix-list, set ipv6 next-hop, set ipv6 next-hop peer-address

 

Monitoring Features

SNMP MIBs and traps

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASA 5506-X.

The ASA 5506-X has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables you to do the following:

  • Know which commands have been entered for a specific configuration.
  • Notify the NMS when a change has occurred in the running configuration.
  • Track the time stamps associated with the last time that the running configuration was changed or saved.
  • Track other changes to commands, such as terminal details and command sources.

We modified the following command: snmp-server enable traps

 

Showing route summary information for troubleshooting

The show route-summary command output has been added to the show tech-support detail command.

Management Features

System backup and restore

We now support complete system backup and restoration using the CLI.

We introduced the following commands: backup, restore

New Features in Version 9.3(1)

Released: July 24, 2014

Table 3 lists the new features for ASA Version 9.3(1).

 

Table 3 New Features for ASA Version 9.3(1)

Feature
Description
Firewall Features

SIP, SCCP, and TLS Proxy support for IPv6

You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).

We did not modify any commands.

Support for Cisco Unified Communications Manager 8.6

The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).

We did not modify any commands.

Transactional Commit Model on rule engine for access groups and NAT

When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance.

We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit

 

Remote Access Features

XenDesktop 7 Support for clientless SSL VPN

We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.

We did not modify any commands.

 

AnyConnect Custom Attribute Enhancements

Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires a specification of their type, name and value. They can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.

We introduced or modified the following commands: anyconnect-custom-attr, anyconnect-custom-data, and anyconnect-custom

 

AnyConnect Identity Extensions (ACIDex) for Desktop Platforms

ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Policies use these endpoint attributes to authorize users.

The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.

We did not modify any commands.

 

TrustSec SGT Assignment for VPN

TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.

We introduced the following new command: security-group-tag value

 

High Availability Features

Improved support for monitoring module health in clustering

We added improved support for monitoring module health in clustering.

We modified the following command: show cluster info health

Disable health monitoring of a hardware module

By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: monitor-interface service-module

 

Platform Features

ASP Load Balancing

The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:

  • Overruns caused by sporadic traffic spikes on flows
  • Overruns caused by bulk flows oversubscribing specific interface receive rings
  • Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load

We introduced or modified the following commands: asp load-balance per-packet auto, show asp load-balance per-packet, show asp load-balance per-packet history, and clear asp load-balance history

SNMP MIBs

The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports the ASASM.

Interface Features

Transparent mode bridge group maximum increased to 250

The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

We modified the following commands: interface bvi, bridge-group

 

Routing Features

BGP support for ASA clustering

We added support for BGP with ASA clustering.

We introduced the following new command: bgp router-id clusterpool

 

BGP support for nonstop forwarding

We added support for BGP Nonstop Forwarding.

We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart

 

BGP support for advertised maps

We added support for BGPv4 advertised map.

We introduced the following new command: neighbor advertise-map

 

OSPF Support for Non-Stop Forwarding (NSF)

OSPFv2 and OSPFv3 support for NSF was added.

We added the following commands: capability, nsf cisco, nsf cisco helper, nsf ietf, nsf ietf helper, nsf ietf helper strict-lsa-checking, graceful-restart, graceful-restart helper, graceful-restart helper strict-lsa-checking


 

AAA Features

Layer 2 Security Group Tag Imposition

You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.

We introduced or modified the following commands: cts manual, policy static sgt, propagate sgt, cts role-based sgt-map, show cts sgt-map, packet-tracer, capture, show capture, show asp drop, show asp table classify, show running-config all, clear configure all, and write memory

 

Removal of AAA Windows NT domain authentication

We removed NTLM support for remote access VPN users.

We deprecated the following command: aaa-server protocol nt

 

Monitoring Features

Monitoring Aggregated Traffic for Physical Interfaces

The show traffic command output has been updated to include aggregated traffic for physical interfaces information. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.

Open Bugs

Table 4 contains open bugs in the latest maintenance release.

If you are running an older release, and you need to determine the open bugs for your release, then add the bugs in these sections to the resolved bugs from later releases. For example, if you are running Version 9.3(1), then you need to add the bugs in this section to the resolved bugs from 9.3(2) and higher to determine the complete list of open bugs.

If you are a registered Cisco.com user, view more information about each bug using the Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 4 Open Bugs in ASA Version 9.3

Bug
Description

CSCub34054

L2 Clustering:OSPFv2, Eigrp and OSPFv3 RIB not replicated to slave node

CSCun31976

ASA SFR: memory corruption following a sys install

CSCuq96462

WEBVPN: DWA_8_5 can not be accessed in FF15 via Kenton

CSCur49234

ASA Mgmt Session stuck on running "sh block exhaustion snapshot/history"

CSCur60264

On deleting access-list attached to route-map,ASA is not throwing ERROR

CSCur69227

ASA sporadic crypto errors with SSL VPN using TLS1.x DHE ciphers

CSCur69271

5506-5508: "show file info lfbff-k8.SPA" missing version and wrong size

CSCur75774

ACL Hash calculated using object NAME and not object value

CSCur81376

ASA traceback in Thread Name: ci/console, assertion "snp_sp_action.c"

CSCur86788

ASA5506: Packet-tracer shows output interface as "NP Identity Ifc

CSCur87011

ASA low DMA memory on low end ASA-X -5512/5515 devices

CSCur95551

ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2

CSCur98502

ASA: 'no monitor-interface service-module' command gone after reload.

CSCus02258

ASA 9.3.1 meaningful log message for "DAP: Processing error: Code 2991"

CSCus02918

ASA: speed slow down after creating multiple ACL entries via REST POST

CSCus08552

show traffic protocol statistics shows huge counter value

CSCus09225

"sysopt traffic detailed-statistics" not visible in "show run"

CSCus09229

CI-STS: ASA-6-305010 syslog is not generated after clear nat

CSCus11465

ASA teardown connection after receiving same direction fins

CSCus14449

ASA: traceback may occur in DATAPATH-0-1339 with ASDM ACL config

Resolved Bugs

Resolved Bugs in Version 9.3(2.200)

There were no resolved bugs in Version 9.3(2.200).

Resolved Bugs in Version 9.3(2)

Table 5 contains resolved bugs in ASA Version 9.3(2).

If you are a registered Cisco.com user, view more information about each bug using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 5 Resolved Bugs in ASA Version 9.3(2)

Bug
Description

CSCtt88306

Syslog 106100 not generated on second context when cascading contexts.

CSCty17881

vpn-sessiondb detail missing Filter Name after IKEv1 rekey

CSCtz53586

ASA: Crash when out of stack memory with call-home configured

CSCub53088

Arsenal:twice NAT with service type ftp not working.

CSCug51375

ASA SSL: Continues to accept SSLv3 during TLSv1 only mode

CSCuh84378

ASA: Last packet in PCAP capture file not readable

CSCui27525

Idle timer and half-closed idle timer reset by out of sequence SYN

CSCul04263

ASA Webvpn CIFS vnode_create: VNODE ALLOCATION LIMIT 100000 REACHED!

CSCul22575

ASA 8.4.6 MAC Address flapping with Port-Channels and IPv6

CSCum91201

SSH timeout on ASA

CSCun43072

ASA5585-SSP60 Traceback in Thread Name SSH on Capture Command

CSCun64754

ASA may traceback when "write standby" command is entered twice

CSCun66613

ASA stops decrypting certain L2L traffic after working for some time

CSCun88736

ASA does not recognise "packet too big" for assembled ICMPv6 echo reply

CSCuo09383

ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure

CSCuo11778

ENH: Add "speed nonegotiate" command for fiber interfaces on ASA5585

CSCuo37603

object nat config getting deleted after reloaded with vpdn config

CSCuo42563

Traceback DHCP 'IP Address Assign' while upgrading ASAs in Failover

CSCuo45321

ASA allows IKEv1 clients to bypass address assignment, causing conflict

CSCuo53772

CWS: Large downloads on HTTPS fail when server side seq number wraps

CSCup08934

ASA WebVPN Rewriter: Custom HTTP Headers Not Properly Rewritten

CSCup16419

Traceback in Thread Name: ssh_init

CSCup35713

ASA tmatch_summary_alloc block leak in binsize 1024

CSCup36514

webvpn jscript post to wrong URL - ASA FQDN same as server FQDN

CSCup43257

ASA Traceback in Thread name: ci/console while modifying an object-group

CSCup46524

"no speed nonegotiate" command in ASA 5580 running 9.1.5 in show run

CSCup47195

ASA - Traceback in DATAPATH-0-1275

CSCup55377

ASA: Traceback Page Fault in vpnfol_thread_msg on Standby ASA

CSCup59499

ASA: BGP not performing outbound route-filtering

CSCup59774

No syslogs for ASDM or clientless access with blank username/password

CSCup60837

Personal bookmarks get deleted with ASA in Active/Standby failover

CSCup66273

ASA SSLVPN Citrix Java client error - java.lang.ClassNotFoundException

CSCup68697

WebVPN: uploading customized portal.css breaks the portal login page

CSCup70720

ASA crashes with Page Fault with multiple configuration sessions

CSCup74532

ASA failover standby device reboots due to delays in config replication

CSCup76212

ASA rewrites incorrect content-length in SIP message

CSCup85529

ASA Smart Call does not hide IPv6 addresses for ND

CSCup86857

IPv4 ACLs not working after merging IPv4 and IPv6 ACLs by upgrading

CSCup86960

ASA : Failover descriptor does not change after reconfiguring VLAN

CSCup87430

accounting not per rfc in dual factor auth case

CSCup90173

SNMP: Power supply OIDs missing if no power input on 5500-X

CSCup92782

ASA providing inaccurate Tunnel count to ASDM

CSCuq03216

IPsecOverNatT tunnel disappears after ASA failovers

CSCuq04306

Smart Tunnels Spawn "UNKNOWN Publisher" Warning w/Java 7 Update 60

CSCuq05768

Using "?" to list files in directory with thousands of files causing hog

CSCuq08854

Show memory app-cache command shows incorrect bytes if more than 2^32

CSCuq09352

vbscript getting caught in loop when passing thru ASA WebVPN Rewriter

CSCuq09709

Using ASA 9.2.1, Anyconnect weblaunch fails with URL-list in DAP

CSCuq20396

Traceback when executing "show crypto accelerator load-balance"

CSCuq21016

Local pool address not released -> Duplicate local pool address found

CSCuq24404

traceback in thread name: netfs_thread_init

CSCuq25488

WebVPN HTML Style "Overflow:Hidden" Breaks Custom Logon Pages

CSCuq26046

ASA - Traceback in thread name SSH while changing NAT configuration

CSCuq26812

ASDM Certificate validation failure

CSCuq28582

Cisco ASA VPN Failover Commands Injection Vulnerability

CSCuq28978

WebVPN: Rewriter issue with PATHIX Inspection Database

CSCuq29136

Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability

CSCuq32943

ASA as DHCP relay, DHCP offer is not forwarded to the client

CSCuq33451

ASA: Increased processor temperature after upgrade

CSCuq35090

Webvpn: Support for XFRAME in additional portal and CSD pages

CSCuq35126

PPPoE with static IP address deny packets after reload ASA

CSCuq36615

Traceback caused by WCCP

CSCuq37448

Cisco ASA Failover IPSEC does not encrypt failover link

CSCuq37873

ASA : timeout floating-conn not working when PPPoE is configured

CSCuq38805

ASA 9.2 : Static Null route not redistributed over EIGRP to neighbors

CSCuq38807

ASA Radius Access-Request contains both User-Password and CHAP-Password

CSCuq39511

ASA: EIGRP neighbor relationship flapping

CSCuq39567

Traceback in Thread Name qos_metric_daemon caused by asdm history enable

CSCuq41510

Cisco ASA VNMC Input Validation Vulnerability

CSCuq42475

IPv6 tunneled route on link-local interfaces

CSCuq44875

ASA: CLI commands are not displaying options for local authorization

CSCuq46931

LDAP CLI: Quotes removed if ldap attribute-map name has spaces

CSCuq47381

DMA memory leak in 256 byte fragments with nbns-server config

CSCuq49455

ASA not sending RST packet for connections dropped by Botnet filter

CSCuq53421

ASA can use wrong trustpoint with rekeyed CAs are cfg in trustpoints.

CSCuq53636

ASA not sending PIM register message to RP

CSCuq54553

with Anyconnect deflate compression ASA gives ASA-3-722021 syslog

CSCuq57188

ASA returns wrong content-length for cut-thru proxy authentication page

CSCuq59667

ASA tracebacks in Thread Name: ssh due to watchdog

CSCuq60566

Incorrect content-length when maddr present with URI in SIP message body

CSCuq62164

IPv6 stateless autoconfiguration fails if managed config flag in RA

CSCuq62597

ASA L2TP Split-Tunnel DHCPC: DHCP daemon got msg for uninitialized

CSCuq62925

ASA: standby traceback during replication of specific privilege command

CSCuq65201

ASA Local CA generates unexpected renewal reminder message

CSCuq65542

Cisco ASA Software Version Information Disclosure Vulnerability

CSCuq66078

Traceback in clacp_enforce_load_balance with ASA Clustering

CSCuq68271

ASA Cluster slave unit loses default route due to sla monitor

CSCuq68888

Cisco ASA SSL VPN Memory Blocks Exhaustion Vulnerability

CSCuq72664

ASA - 80 Byte memory block depletion

CSCuq75981

ASA traceback in DATAPATH-0-2078 thread

CSCuq76847

ASA:Page fault traceback ACL FQDN Object-group

CSCuq77228

ASA Cluster: IDFW traceback inThread Name: DATAPATH-3-132

CSCuq77655

1550 block leak occur if DNS replies "refused" query response

CSCuq78238

Inspect rule defaults in standby transparent context on write standby

CSCuq80639

ASA5580 speed nonegotiate settings kept link down after shut/no shut

CSCuq87632

User membership not updated in parent group

CSCuq91793

ASA: RST packet forwarded with non-zero ACK number (and ACK flag clear)

CSCuq95704

There are two certificates related to one trustpoint on standby unit.

CSCuq98633

Object Group Search causing legitimate traffic to be dropped by ACL

CSCuq99852

Traceback on ASA when Attempting to Join Cluster with Low Memory

CSCur02239

ASA ACL hitcount not correct for ACLs with service object groups

CSCur07061

Traceback on standby ASA during hitless upgrade

CSCur16308

DHCP Relay reloads after changing server interface

CSCur17329

SDI authentication doesn't work in more than one contexts.

CSCur17483

nested custom write functions causing blank page through rewriter

CSCur24059

Control Plane ACL Not Working for Redirected HTTP Traffic

CSCur25431

ASA assert traceback on Standby Unit in c_idfw.c

CSCur25542

Traceback: pki-crl: Thread Name: Crypto CA with traffic through VPN L2L

CSCur27845

ASA Client login timeout issue due to proxy match inconsistency

CSCur36898

EIGRP tag incorrectly send by ASA

CSCur38451

ASA DSCP marking applies to all SSL traffic

CSCur42907

Failed to allocate global ID when adding service-policy

CSCur42998

traceback @ hash_table_simple.c:192

CSCur47804

ASA Crash in vpnfol_thread_msg thread

CSCur52712

Webvpn: Support for XFRAME for non-critical URL's

CSCur54570

ASA accounting request does not contain radius-class(25) attribute

CSCur56689

RSH inspect conn not replicated to standby with cut_thru missing punt

CSCur59397

ASA SCP Client does not prompt for password when not inc. in copy string

CSCur64589

DATAPATH Traceback in snp_mp_svc_udp_upstream_data function

CSCur64659

ASA Traceback in Thread Name: DATAPATH-6-2544

CSCur66635

ASA Traceback in Thread Name: DATAPATH-3-1274

Resolved Bugs in Version 9.3(1)

Table 6 contains resolved bugs in ASA Version 9.3(1).

If you are a registered Cisco.com user, view more information about each bug using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 6 Resolved Bugs in ASA Version 9.3(1)

Bug
Description

CSCsk87165

ENH - Add device serial number and platform string to show run output

CSCsm81086

Allow user to exclude the status of the SSM or SSP from failover checks

CSCsw79856

'LU allocate xlate failed' syslog should include more data

CSCsz39633

Double auth not triggered if using secondary-aaa-server per interface

CSCtb71323

Cisco ASA Webtype ACL By-Pass Vulnerability

CSCtc18329

ACL renamed but syslog doesn't reflect new name

CSCtc61848

ENH - show traffic should include packet size distribution and flow info

CSCtd14339

block and chunk data needs to be included at beginning of crashinfo

CSCtf39306

show blocks exhaustion snapshot only takes single snapshot

CSCtj51276

Implement a syslog to indicate the version of the anyConnect client

CSCtk66541

ENH: ASA drops ICMP Error Reply for uni-directional SCTP Traffic

CSCtn30286

DHCP Relay needs to handle DHCPREQUEST differently

CSCtx55340

Easy VPN Remote not re-establishing nem-st-autoconnect setting changed

CSCty28878

ASA SSLVPN/DTLS: Copy inner packet TOS field to outer header

CSCtz92586

A warning message is needed when a new encryption license is applied

CSCub05888

Asa 5580-20: object-group-search access-control causes failover problem

CSCub13208

ASA transparent mode should support 'inspect icmp error'

CSCuc39071

AC Script/customi:no 'linux-64' option(maybe it should be 'freeform'?)

CSCuc80975

ASA5500-x: "speed nonegotiate" command not available for fiber interface

CSCud24785

Slow throughput of AnyConnect client w/DTLS compared to IPSec IKEv1

CSCue51351

ASA: Huge NAT config causes traceback due to unbalanced p3 tree

CSCue87407

DNS: Inspection drops non in-addr.arpa PTR queries

CSCug14102

Need Syslog containing assigned IP address for AnyConnect IKEv2

CSCug18734

ENH: Citrix Receiver proxy on ASA support for backend Storefront server

CSCug51755

ICMP destination unreachable for L2TP PMTU error not sent to server

CSCug87445

SVC_UDP Module is in flow control with a SINGLE DTLS tunnel

CSCuh01570

Dropped packets/Retries/Timeout on applying a huge ACL on existing acl

CSCuh61321

AC 3.1:ASA incorrectly handles alternate DTLS port,causes reconnect

CSCuh79288

ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD

CSCui30677

ENH - SCP Support on the ASA

CSCui44095

ASA 9.1: timer app id was corrupted causing to Dispatch Unit traceback

CSCui53710

ACL Migration to 8.3+ Software Unnecessarily Expands Object Groups

CSCui56863

ASA may reload with traceback in Thread Name: vpnfol_thread_msg

CSCui63001

ASA traceback in Thread Name: fover_parse during command replication

CSCui79979

ASA 9.1.2 - Traceback in Thread Name: fover_parse during configuration

CSCui82751

%ASA-6-113005 should contain IP that initiated failed auth attempt

CSCui95392

WebVPN portal page misses large title after portal redesign

CSCuj26816

ENH - ASA and AAA Operations

CSCuj35576

ASA OSPF route stuck in database and routing table

CSCuj45406

ASA: Page fault traceback with 'show dynamic-filter dns-snoop detail'

CSCuj68420

ASA SMR: Multicast traffic for some groups stops flowing after failover

CSCuj83344

ASA cifs share enumeration DOS vulnerability

CSCuj98221

IDFW: user-group is not deactivated even if IDFW ACL is removed

CSCul00624

ASA: ARP Fails for Subinterface Allocated to Multiple Contexts on Gi0/6

CSCul02052

ASA fails to set forward address in OSPF route redistrubution

CSCul05079

ASA Memory usage in a context rises

CSCul07504

CWS: ASA forwards HTTPS packets to CWS tower in wrong sequence

CSCul16778

vpn load-balancing configuration exits sub-command menu unexpectedly

CSCul22237

ASA may drop all traffic with Hierarchical priority queuing

CSCul25576

ASA: Page fault traceback after running show asp table socket

CSCul28082

ASA traceback in Thread Name: DATAPATH due to double block free

CSCul33381

ASA 5505 SIP packets may have extra padding on egress of 5505

CSCul34143

ENH: Need to optimize messages printed on upgrade from 8.2- to 8.3+

CSCul34702

ASA Unicorn rewriter memory corruption

CSCul37560

ASA traceback when uploading an image using FTP

CSCul46000

2048 byte block depletion with Smart-Tunnel Application

CSCul46971

ASA Transparent mode doesn't pass DHCP discover message

CSCul47395

ASA should allow out-of-order traffic through normalizer for ScanSafe

CSCul49796

ASA Transparent A/A - Replicated MAC addresses not deleted after timeout

CSCul52942

ASA failover cluster traceback when replicating the configuration

CSCul55863

ASA with ICMP insp. drops replies with 'seq num not matched' code

CSCul60058

Case sensitivity check missing for Web Type ACL and Access-group

CSCul60950

IPSEC VPN - One crypto ACE mismatch terminates all Phase2 with that peer

CSCul61545

ASA Page Fault Traceback in 'vpnfol_thread_msg' Thread

CSCul62357

ASA fails to perform KCD SSO when web server listens on non-default port

CSCul64980

Acct-stop for VPN session doesn't send out when failover occurred

CSCul65863

ASA IGMP receiver-specific filter blocks all multicast receivers

CSCul67705

ASA sends RST to both ends when CX policy denies based on destination IP

CSCul68338

WEBVPN IE 11: CIFS bookmarks showing with unicode

CSCul68363

EIGRP: Auth key with space replicates to Secondary with no space

CSCul69592

ASA:Webvpn character encoding instructions unclear

CSCul70062

Capture Isakmp w/ match statement cause Standby to reload at replication

CSCul70712

ASA: ACL CLI not converting 0.0.0.0 0.0.0.0 to any4

CSCul73785

WEBVPN multiple issues with LMS application

CSCul74286

ASA: Phy setting change on member interfaces not seen on port-channel

CSCul77465

BPDUs on egress from ASA-SM dropped on backplane

CSCul83331

Redundant IFC not Switching Back

CSCul94773

ASA TCP Proxy can corrupt data, cause ACK storms and session hangs

CSCul96580

ASA tears down SIP signaling conn w/ reason Connection timeout

CSCul96864

ASA translates the source address of OSPF hello packets

CSCul98420

'Route-Lookup' Behavior Assumed for Twice NAT with Identity Destination

CSCum00360

ASA - DHCP Discover Sent out during boot process

CSCum00826

ASA reloads on Thread name: idfw_proc

CSCum01313

ASA drops DHCP Offer packet in ASP when nat configured with "Any"

CSCum06272

ASA reloads due to SSL processing

CSCum11724

secondary standby loses its cluster license after upgrade to 8.4.(7.3)

CSCum12633

webvpn issue, part of the http request not sent by the client to ASA

CSCum16576

ASA not allowing AC IKEv2 Suite-B with default Premium Peer license

CSCum16787

SSH: ASA 9.1.3 rare traceback observed during ping command

CSCum23018

ASA traceback with Thread Name: IKE Common thread

CSCum24634

IKEv1 - Send INVALID_ID_INFO when received P2 ID's not in crypto map

CSCum26955

Webvpn: Add permissions attribute to portforwarder jar file

CSCum26963

Webvpn: Add permissions attribute to mac smart-tunnel jar

CSCum28756

ASA: Auth failures for SNMPv3 polling after unit rejoins cluster

CSCum32334

WebVPN: ASA webVPN fails to rewrite dynamic content of pubmed website

CSCum35118

ASA:Traceback in Thread Name: DATAPATH-23-2334

CSCum37080

Traceback in IKEv2 Daemon with AnyConnect Failure

CSCum39328

uauth session considered inactive when inspect icmp is enabled

CSCum39333

idle time field is missing in show uauth output

CSCum47174

WebVPN configs not synchronized when configured in certain order-v3

CSCum51780

Problem configuring QOS priority with user-statistic on same policy-map

CSCum54163

IKEv2 leaks embryonic SAs during child SA negotiation with PFS mismatch

CSCum56003

Smart-tunnel for windows-Liveconnect exception-JRE 1.7u51

CSCum60784

ASA traceback on NAT assert on file nat_conf.c

CSCum63417

ASA should not allow interface MTU config greater than 9202/9198

CSCum65278

ASA 5500-X: Chassis Serial Number missing in entity MIB

CSCum68923

Webvpn: connecting to oracle network SSO returns error

CSCum68951

Webvpn: web applications that may refresh a page with "#" fail

CSCum69144

HTTP redirect to the VPNLB address using HTTPS fails in 9.1.4/9.0.4.x

CSCum70178

Datapath:Observing Deadlock in different DATAPATH threads

CSCum72854

Traffic does not hit Twice NAT configured after Static PAT

CSCum75214

ASA5585-SSP60 Teardown process is delayed under heavy traffic condition

CSCum75871

Traceback on standby ASASM when executing the failover active command

CSCum76734

ASA Backup scansafe tower is never polled

CSCum80899

ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats

CSCum82760

ASA traceback in Unicorn Admin Handler

CSCum82840

ASA: Traceback in pix_flash_config_thread when upgrading with names

CSCum84247

ASA - VPN session leak for IKEv2 if L2L sessions land on RA tunnel group

CSCum85047

Traceback in Thread: IPsec message handler with rip-tlog_event_allocate

CSCum85858

ASA Cluster: Unable to stop captures on CCL in a context

CSCum86538

SunRPC GETPORT Reply dropped when two active sessions use same xid

CSCum89182

show cluster info goid output needs formatting

CSCum91360

Aborted AnyConnect Authentications can cause resource leak

CSCum92080

Sourcefire Defense Center not able to be rendered via Clientless SSL VPN

CSCum93731

ASA 9.1.3 SNMP Traceback in Thread Name: SNMP

CSCum94542

Traceback in Thread Name: ci/console

CSCum95843

IKEv2 routes not installed if Dynamic and Static Crypto Map Match

CSCum96204

ASA cluster - RSA key size 4096 bits is not replicated cluster members

CSCun04658

Assigned IP in show vpn-sessiondb anyconnect is missing.

CSCun07943

Windows ICMP based Traceroute through ASA failing

CSCun08017

ASA WebVPN memory leak - blank portal page

CSCun09515

capture option to be provided to collect pcap frm node other than master

CSCun10189

Ping doesn't work between peer IPs when answer-only is configured

CSCun10844

Java rewriting takes too much time

CSCun11323

ASA: Traceback in aware_http_server_thread after upgrade

CSCun12838

ASA Traceback in DATAPATH-1-1400 with error message shrlock_join_domain

CSCun15560

ASA-IC-6GE-SFP-C SFP port doesn't come up

CSCun16022

ASA traceback in Thread Name: IKE Daemon: with CX redirect in place.

CSCun16067

DAP creates dynamic ACLs even if single ACL selected.

CSCun17705

Regex modification within context causes ASA traceback

CSCun19025

ASA WebVPN login page XSS vulnerability

CSCun20457

ASA 9.1.x should accept RIP V1 updates

CSCun21186

ASA traceback when retrieving idfw topn user from slave

CSCun23552

XenDeskTop7: cannot relogin to StoreFront interface after logoff

CSCun25386

Anyconnect: Split-Tunnel does not work with subnet 0.0.0.0/1

CSCun25809

AnyConnect Password Management Fails with SMS Passcode

CSCun28999

When long line is entered on cli, all chars > 510 silently discarded

CSCun31725

ASA using IKEv2 rejects multiple NAT_DETECTION_SOURCE_IP payloads

CSCun32324

ASA Cluster ICMP with PAT not functional on reload

CSCun32388

ASA 5585 cluster indicating SSM card down but no SSM module

CSCun32897

Data path: ASA traceback in CTM message handler

CSCun40620

ASA IPSec - DNS reply for RA client dropped when LZS compression enabled

CSCun41702

L2TP/IPSec connection is failed when there is PAT router.

CSCun41817

Hash calculated for multiple ACEs on ASA are same

CSCun41818

ASA: Traceback in thread Name: DATAPATH-1-2581

CSCun43082

ASA Tears Down Connections With Reason of 'snp_drop_none'

CSCun44108

Unable to access webvpn portal when CSD and IE content advisor enabled.

CSCun44541

ASA cut a part of credential data during cut-thru proxy authentication

CSCun45520

Cisco ASA DHCPv6 Denial of Service Vulnerability

CSCun48868

ASA changes to improve CX throughput and prevent unnecessary failovers

CSCun59095

ASDM interface graph showing bogus values in S/W and H/W output queue

CSCun59657

ASA-SM not sending SNMP traps with 9.0.4

CSCun61466

terminal width command is deleted when removing other context

CSCun66161

5585-20 8.4.7.11 traceback in Thread Name Datapath w/ DCERPC inspection

CSCun66306

IDM/IME/File Transfer Slow For Certain Source and Destination IP Pairs

CSCun69669

Posture assessment failing after HS upgrade to 3.1.05152

CSCun71016

OSPFv3 route stuck in routing table after failover

CSCun71586

MEMLEAK: 128 byte leaks when requesting IPv6 address for AnyConnect

CSCun75965

Name for IPv6 address causes objects to become empty after reload

CSCun78551

Cisco ASA Information Disclosure Vulnerability

CSCun81982

Packet-tracer showing incorrect result for certain NAT configurations

CSCun83186

Nameif command not allowed on TFW multimode ASA with clustering

CSCun85465

'ASA modifies Request Host Part under 'ACK' packet for SIP connection'

CSCun86984

ASA 5505 u-turned/hairpinned conn counts toward license local-host limit

CSCun88276

High CPU with IKE daemon Process

CSCun95075

ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule

CSCun96170

ASA 8.4.6: Traceback with fover_FSM_thread

CSCuo00627

Saleen copper module port speed/duplex changes ineffective

CSCuo02948

To the box traffic dropped due to vpn load-balancing (mis)configuration

CSCuo03555

SNMP: cpmCPUTotal5sec/1min/5min return "0"

CSCuo03569

VPN client firewall and split-tunneling mishandle "inactive" acl rules

CSCuo04965

Clientless scrollbar on right hand side of the screen doesn't render

CSCuo05186

ASA 9.1 DMA Memory exhaustion in 240 binsize

CSCuo08511

ASA 9.0.4.1 traceback in webvpn datapath

CSCuo09383

ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure

CSCuo10869

VPN-filter ACL drops all traffic after upgrade for pre 8.3 to 9.x

CSCuo11057

IPsec transform sets mode changes from transport to tunnel after editing

CSCuo11867

CSCub92315 fix is incomplete

CSCuo14701

Interop: relax PrintableString encoding enforcement in PKI

CSCuo19916

ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet

CSCuo23892

ASA SIP Inspect:'From: header' in the INVITE not NATed for outbound flow

CSCuo26501

ASA: Traceback in Thread Name: Dispatch Unit when enable debug ppp int

CSCuo26632

ASA SSLVPN OWA 2007: Unable to attach files >= 1 MB with KCD enabled

CSCuo27866

Traceback on DATAPATH-7-1524 Generating Botnet Filter Syslog

CSCuo32369

ASA WebVPN Rewriter: CSCOGet_location Improperly Pulls Full Web Address

CSCuo33186

Traceback with thread DATAPATH-2-1181

CSCuo44216

ASA traceback (Page fault) during xlate replication in a failover setup

CSCuo46136

ASA does not relay BOOTP packets

CSCuo49385

Multicast - ASA doesn't populate mroutes after failover

CSCuo54393

ASA: HTTP searchPendingOrders.do function failing over WebVPN

CSCuo54448

WebVPN capture causes conflict with other capture types

CSCuo58411

ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)

CSCuo60435

ASA: Webvpn using incorrect password for auto-signon with Radius/OTP

CSCuo61372

ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec SA

CSCuo63172

ASA 9.1.(3)4 Memory Leak in KCD

CSCuo64803

ASA Rewriter does not support encoded values for characters like " ' "

CSCuo70963

WebVPN: Javascript rewrite issue with Secret Server Application

CSCuo73792

ASA 9.x Management Port-Channel Cannot configure management-only in TFW

CSCuo78285

Firewall may crash while clearing the configuration

CSCuo78892

Traceback when using IDFW ACL's with VPN VPN Filters

CSCuo82612

5585-20 9.2.1 Traceback in Thread Name: DATAPATH-1-1567

CSCuo84225

CIFS drag & drop not working with remote file explorer over webvpn

CSCuo88253

ASA NAT: Some NAT removed after upgrade from 8.6.1.5 to 9.x

CSCuo89924

Giaddr to be set to the address of interface facing the client.

CSCuo91763

ASA allows to empty an access-list referenced elsewhere

CSCuo95074

ASA - crash in SSL Client compression in low memory conditions

CSCuo95602

Standby ASA traceback on Fover_Parse with Botnet Filter

CSCuo97036

show vpn load-balancing shows Public addr as Cluster IP addr for Master

CSCuo99186

Inconsistencies seen while sending warmstart trap on reload

CSCup00433

Failover Standby unit has higher memory utilization

CSCup01676

ASA: Crash in DATAPATH

CSCup05772

Snmp-server hosts entries are lost when upgrading from 9.1(4) to 9.1(5)

CSCup07447

ASA WebVPN: Script error when using port-forwarding

CSCup08262

9.0(4)5 - Unable to access internal site via clientless SSLVPN

CSCup08912

ASA SSLVPN Java plugins fail through proxy with Connection Exception

CSCup09236

L2TP/IPsec fragmentation change causing ICMP-PMTU being sent

CSCup09881

show webvpn kcd Error code 2 (ERROR_FILE_NOT_FOUND)

CSCup09958

ASA: Webvpn Clientless - certificate authentication fails intermittently

CSCup13265

ASA - Traceback in thread name: sch_prompt anonymous reporting

CSCup16512

ASA traceback in Thread Name : Checkheaps when snmp config is cleared

CSCup16860

IKEv2 DPD is sent at an interval not correlating to the specified value

CSCup24465

Jumbo frame calculations are incorrect or hard coded

CSCup26021

TCP intercept does not work after embryonic connection ends

CSCup26347

ASA Panic: CP Processing - ERROR: shrlock_join_domain

CSCup32973

ASA EIGRP does not reset hold time after receiving update

CSCup33868

ASA doesn't apply vpn-filter if group policy is assigned by Cisco VSA 25

CSCup36543

WebVPN Problem- icons missing, buttons not working

CSCup40357

SNMP: Unable to verify presence of second power supply in ASA 5545

CSCup44564

Remove Comment in Cookie

CSCup47885

ASA: Page fault traceback in DATAPATH when DNS inspection is enabled

CSCup48772

ASA - Wrong object-group migration during upgrade from 8.2

CSCup48979

ASA - Permitting/blocking traffic based on wrong IPs in ACL

CSCup50857

ASA traceback in thread name idfw_adagent

CSCup54184

ASA Overwrite any file on WebVPN RAMFS

CSCup59017

ASA with ACL optimization crashing in "fover_parse" thread

End-User License Agreement

For information on the end-user license agreement, go to:

http://www.cisco.com/go/warranty

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation:

http://www.cisco.com/go/asadocs

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.